The Norwegian University of Science and Technology Department of Production and Quality Engineering June 2008
Preface
This report is the result of the master project executed in Spring 2008, and is the final step in graduating as an Engineer with an MSc degree from The Norwegian University of Science and Technology (NTNU). The master project is in collaboration with Aker Subsea AS, which is part of the Subsea Business Area within Aker Solutions. Aker Subsea provides leading oil production systems and equipment located sub-surface, and recent projects are Morvin (North Sea), Kristin (North Sea), Reliance KG-D6 (India) and Dalia (Angola). The work has been performed partly in Trondheim at the facilities of the Department of Production and Quality Engineering (IPK), and at Aker Solutions headquarters outside of Oslo. A very special thanks to my supervisor and professor Marvin Rausand (NTNU) who has been helpful with thorough guidance throughout the master project. Another person that deserves attention is Linn Nordhagen (Aker Engineering and Technology) who has provided helpful information on LOPA from a practical perspective, and given comments to the final product. Gratitude must be expressed toward Aker Subsea and Thor Kjetil Hallan for offering office space, and providing information. Others that should be mentioned are: Katrine Harsem Lund (Scandpower Risk Management AS), Bjørn Solheim (BP) and Hanne Roln (Aker Subsea). Particular gratitude must be expressed to my father, Petter O. Lassen, for advice and support throughout my entire education.
Contents

List of Tables                                            IV
List of Figures                                            V
1 Introduction                                             1
  1.1 Introduction to LOPA                                 1
  1.2 Objectives                                           2
  1.3 Limitations and structure                            2
  1.4 Relation to IEC 61508 and 61511                      3
2 Methods in determining SIL                               6
  2.1 Quantitative method as described in IEC 61508        6
  2.2 Risk matrix                                          8
  2.3 Safety layer matrix                                  9
  2.4 The OLF 070 guideline                               11
  2.5 Risk graph                                          11
  2.6 Calibrated risk graph                               15
3 LOPA                                                    18
  3.1 What is LOPA?                                       18
  3.2 Explanation of terms                                22
  3.3 The LOPA team                                       25
  3.4 LOPA worksheet and the LOPA process                 25
  3.5 Different approaches in literature                  29
  3.6 Aker E&T methodology                                30
4 Preferred approach                                      32
  4.1 Flowchart                                           32
  4.2 Comments to the preferred LOPA approach             39
5 Interface with HAZOP                                    41
  5.1 Introduction to HAZOP                               41
  5.2 HAZOP integration                                   41
  5.3 Adjustments and transformation of data              44
  5.4 HAZOP / LOPA program specification                  44
  5.5 Illustration of software program                    46
6 Case study: Applicability of LOPA                       49
  6.1 Case text                                           49
  6.2 Introduction to system                              49
  6.3 LOPA applied on the case study                      52
  6.4 Comments to the result                              58
  6.5 Implications during the case                        59
7 Conclusions and recommendations for further work        60
A Basic concepts                                          66
B Software schematic                                      67
C Case study: Worksheet                                   73
List of Tables

1.1 SIL for safety functions operating in low demand of operation adapted from IEC 61511 (2003)    3
2.1 Risk classification of accidents adapted from IEC 61508                                        7
2.2 Frequency of hazardous event likelihood adopted from IEC 61511                                10
2.3 SIL requirement table adopted from OLF 070                                                    12
2.4 Classification of risk parameters adopted from IEC 61511                                      13
2.5 Example calibration adapted from IEC 61511                                                    16
3.1 Important columns in the LOPA report / worksheet adapted from IEC 61511 (2003)                26
4.1 Target mitigated event likelihood for safety hazards adapted from Nordhagen (2007)            34
4.2 Typical frequency values assigned to initiating causes adapted from CCPS (2001)               36
4.3 PFDs for IPLs adapted from CCPS (2001) and BP (2006)                                          37
5.1 Process HAZOP worksheet adopted from Rausand (2005)                                           42
6.1 Initiating cause frequencies                                                                  53
6.2 IPL PFDs                                                                                      55
List of Figures

1.1 Safety lifecycle (IEC 61508, 2003)                                                             4
2.1 Typical risk matrix modified for SIL determination adapted from Marszal and Scharpf (2002)     8
2.2 Safety layer matrix diagram adapted from IEC 61511 (2003)                                     10
2.3 Typical risk graph                                                                            15
3.1 Risk analysis procedures adopted from Rausand and Høyland (2004)                              18
3.2 The LOPA onion                                                                                20
3.3 Relation between initiating causes, impact event, process deviation and IPLs                  24
3.4 Extract of SIL determination methodology from Ellis and Wharton (2006)                        30
3.5 Aker E&T methodology adapted from Nordhagen (2007)                                            31
4.1 Preferred approach                                                                            33
5.1 Relationship between HAZOP and LOPA worksheets                                                43
6.1 SPS and separator schematic                                                                   50
6.2 Relation between initiating causes, impact event, process deviation and PLs                   56
B.1 Step 1                                                                                        68
B.2 Step 2                                                                                        69
B.3 Step 3                                                                                        70
B.4 Step 4                                                                                        71
B.5 Step 5                                                                                        72
Abbreviations

AIChE      American Institute of Chemical Engineers
Aker E&T   Aker Engineering & Technology
AMV        annulus master valve
BP         British Petroleum
BPCS       basic process control system
CCF        common cause failures
CV         control valve
DHSV       downhole safety valve
ESD        emergency shutdown
EUC        equipment under control
FTA        fault tree analysis
FMECA      failure modes, effects, and criticality analysis
FPSO       floating production, storage and offloading vessel
HAZID      hazard identification study
HAZOP      hazard and operability study
HCM        HIPPS control module
HIPPS      high integrity pressure protection system
HPU        hydraulic pump unit
IEL        intermediate event likelihood
IPL        independent protection layer
LOPA       layer of protection analysis
MEL        mitigated event likelihood
MV         master valve (PMV)
OREDA      Offshore Reliability Data
PCV        production choke valve
PFD        probability of failure on demand
P&ID       piping and instrumentation diagram
PIG        pipeline inspection gauge
PL         protection layer
PSD        process shutdown
PSDV       process shutdown valve
PST        pressure safety transmitter
PSV        pressure safety valve
PT         pressure transmitter
QRA        quantitative risk analysis
ROV        remotely operated vehicle
SCM        subsea control module
SEM        electronic control module
SIF        safety instrumented function
SIL        safety integrity level
SIS        safety instrumented system
SPS        subsea production system
TMEL       target mitigated event likelihood
TT         temperature transmitter
VB         Visual Basic
WV         wing valve (PWV)
XV         cross-over valve (XOV)
XT         X-mas tree (XMT)
Summary
Layer of protection analysis (LOPA) and other safety integrity level (SIL) determination methods have been described, and the terms used in LOPA have been thoroughly defined and clarified. Different views on LOPA found in the literature have been presented, and a preferred / recommended LOPA approach has been developed and described. This preferred approach has also been applied to a case study based on systems from Aker Engineering and Technology and Aker Subsea. The interface between LOPA and hazard and operability study (HAZOP) has been discussed, and it has been shown how an integrated software tool could work. The SIL is a measure of the availability of a protection layer or barrier. Protection layers include the basic process control system (BPCS), critical alarms and human intervention, safety instrumented functions (SIF), physical protection and emergency response. All of these reduce the frequency of occurrence of the potential unwanted end-consequence or mitigate the impact the end-consequence represents. LOPA is a tool to determine the SIL of a SIF, and it evaluates the other protection layers individually by looking at the risk mitigation they provide. Other tools are the quantitative method described in IEC 61508, the OLF 070 guideline, the risk matrix, the safety layer matrix, the risk graph and the calibrated risk graph. Except for the quantitative method in IEC 61508 and the OLF 070 guideline, these are graphical and qualitative methods which are simpler than LOPA. These SIL determination methods do not differentiate between the individual risk mitigation the protection layers provide. A clear understanding of the terms in LOPA is important, and a clear methodology is essential to ensure a strong framework. The following relationship between the terms is defined: the initiating causes lead to a process deviation, which again may lead to an impact event that may result in an end-consequence. Protection layers are introduced prior to and subsequent to the impact event.
An example is the initiating cause slippery road, which leads to the impact event car crash. The car crash has an end-consequence of three fatalities. In order to prevent this fatal outcome, a rigid car body, air-bags and traction control may serve as protection layers. The preferred LOPA approach developed during the master thesis is based on the one in IEC 61511, taking the views from other methodologies in the literature into account. The impact event is the starting point of the analysis. The frequency of each initiating event is multiplied by the probability of failure on demand of all credited independent protection layers. In addition, the occupancy and ignition probability (if applicable) are multiplied into the result. The final value is denoted the intermediate event likelihood. This is the frequency of occurrence of the end-consequence with the existing protection layers in place. By comparing this with a target frequency, the needed SIL is estimated. HAZOP is a hazard identification method often applied prior to or simultaneously with a LOPA. By integrating HAZOP and LOPA, a high quality analysis requiring fewer resources may be the result. HAZOP has information in common with LOPA, and some information has to be transformed. A software tool used to combine and integrate the two methods is beneficial. Such a tool is advanced, and must incorporate a complex issue like the implementation of expert judgment, which is important in LOPA. The definition of terms and the preferred approach have proved to be beneficial when applying LOPA during the case study. An extensive issue during this process has been which protection layers are independent, and which are not. This requires understanding of basic reliability concepts, but also a great amount of process and system understanding. The concept of independent protection layers should be evaluated further; together with facilitating expert judgment during LOPA and in eventual software tools, these are considered the main challenges.
Chapter 1
Introduction
1.1 Introduction to LOPA
Offshore accidents may result in casualties and economic loss. Determining specific safety requirements for safety systems is an important part of ensuring that accidents are prevented. In the 1990s the standards IEC 61508 and IEC 61511 emerged, and the need for documenting compliance with these in a consistent manner led to the introduction of the layer of protection analysis (LOPA). In chemical processes several protection layers are used, and in LOPA the number and the strength of these protection layers are analyzed. LOPA can be considered a simplified form of quantitative risk assessment. It can be used after a hazard and operability analysis (HAZOP), and before a quantitative risk analysis (QRA). A difference between LOPA and other tools is that LOPA analyzes the different protection layers individually, and the mitigation they provide. LOPA is especially used to determine the safety integrity level (SIL) of safety instrumented functions in conjunction with IEC 61511, but also as a general risk assessment tool to evaluate whether the protection layers in a system are satisfactory. In addition, several other applications such as capital improvement planning, incident investigation and management of change can be found. The method is not used to a large extent in Norway, but is widely implemented internationally. In the oil and gas industry LOPA is more frequently applied to topside equipment than to subsea equipment.

The concept of protection layers was first covered in the book Guidelines for Safe Automation of Chemical Processes, published by the Center for Chemical Process Safety (CCPS), a section of the American Institute of Chemical Engineers (AIChE), in 1993. These thoughts were developed further by the industry, resulting in internal procedures (Dowell, 1998). In 2001 the CCPS published the book Layer of Protection Analysis, Simplified Risk Assessment, describing the LOPA method (Gowland, 2006). The method is also described in Part III Annex F of IEC 61511.
Extensive literature can be found on LOPA, and stepwise approaches are given both in IEC 61511 and CCPS (2001). The terms vary among different authors, and definitions and interpretations of terms like scenario and independent protection layer (IPL) may be confusing.
1.2 Objectives
The objective of the master project is to gain extensive knowledge of various methods to allocate requirements to safety instrumented systems, with focus on layer of protection analysis (LOPA). As a part of this the following aspects shall be covered:
- Carry out a literature survey and compare and discuss the different approaches to LOPA found in the literature.
- Give a thorough presentation of a recommended LOPA approach. The approach shall be stepwise with a clear description of each step.
- Define and clarify all basic concepts of the recommended LOPA approach.
- Identify and describe interfaces between LOPA and other risk analysis methods (especially HAZOP).
- Discuss pros and cons related to LOPA, and especially the limitations of LOPA.
- Define, exemplify, and discuss the independent protection layer (IPL) concept and discuss the applicability of LOPA in cases where the independence is violated.
- Compare the applicability of LOPA in determining SIL, and compare LOPA with alternative approaches (incl. risk graphs). If possible, this evaluation should be rooted in a practical case study.
discussed. A preferred approach is developed, and presented in Chapter 4, including description of each step and the basic concepts that are employed. The interface between HAZOP and LOPA is covered in Chapter 5. In addition the functionality of a software tool integrating LOPA and HAZOP is described. In Chapter 6 the applicability of the preferred LOPA approach suggested in Chapter 4 is evaluated in a case study. Finally, conclusions and recommendations for further work are given in Chapter 7.
quently. The SIL requirement is then verified by calculating the PFD (Rausand and Høyland, 2004; Schönbeck, 2007). In Table 1.1 the PFD related to the four SILs for low demand of operation is presented. The standards do not prescribe how the SIL of the SIFs should be determined, only that it has to be determined. Figure 1.1 shows the safety lifecycle used as the basic framework in IEC 61508 and IEC 61511.

Figure 1.1: Safety lifecycle (IEC 61508, 2003)

This framework makes it possible to deal with requirements and activities in a structured manner. After the two initial phases, "concept" and "overall scope definition", the risk associated with the EUC is analyzed in the "hazard and risk analysis" phase. Techniques such as checklists, failure modes and effects analysis (FMEA) and HAZOP may be used. The next step, which has a red box in Figure 1.1, is to specify the overall safety requirements in terms of the safety functions and safety integrity needed to achieve the necessary risk reduction. It is during this activity that the SIL is determined, and this activity / phase is of greatest importance. LOPA may be applied during this phase, but other methods like the risk graph and the safety layer matrix are also applicable. In the next phase, "safety requirements allocation", the safety functions are allocated to one or more SIS. Although phase four is the most interesting in this case, phases three and five will come into play, as they give the input to and receive the output from phase four. All of these activities are carried out in the design phase prior to final design and manufacturing (Rausand and Høyland, 2004; IEC 61508, 2003; Schönbeck, 2007).
Chapter 2
Table 2.1: Risk classification of accidents adapted from IEC 61508

Frequency   | Catastrophic | Critical | Marginal | Negligible
Frequent    | I            | I        | I        | II
Probable    | I            | I        | II       | III
Occasional  | I            | II       | III      | III
Remote      | II           | III      | III      | IV
Improbable  | III          | III      | IV       | IV
Incredible  | IV           | IV       | IV       | IV
The next step is to determine the EUC risk. Risk is a measure of probability and consequence. The EUC risk consists of the unwanted consequence and the demand rate on the system without protective features, i.e. the number of times per year the unwanted consequence occurs without the SIF. This can be estimated using quantitative risk assessment methods, e.g. fault tree analysis (FTA) or reliability block diagrams (RBD) (IEC 61508, 2003). The final step is to calculate the necessary risk reduction to meet the tolerable risk. This is obtained by dividing the acceptable number of times per year the SIF may fail by the number of demands per year. The result is the acceptable number of SIF failures per demand, i.e. the needed probability of failure on demand, which is the PFD. The SIL requirement could be allocated further down to subsystems, e.g. by expert judgment (IEC 61508, 2003).

A separator located topside on a platform or floating production, storage and offloading vessel (FPSO), with a riser down to a subsea production system (SPS) consisting of X-mas tree (XT) and reservoir, could be used as an example. The EUC is in this case defined as the separator. The acceptable frequency of overpressure of the separator could be $10^{-6}$ per year, which could correspond to risk class III with critical consequence. Note that this is the acceptable frequency of a given unwanted consequence, which in this case is overpressure. The consequence could in some cases also be directly related to human harm. From the reservoir the demand rate on the system, without any protection systems, can be found. If this is estimated to be 25 demands/year, the approach gives:

$$\mathrm{PFD} = \frac{\text{acceptable no. of times the SIF may fail per year}}{\text{no. of demands per year}} = \frac{10^{-6}}{25} = 4 \cdot 10^{-7}$$
This result is the acceptable frequency / demand, hence the probability of failure on demand. The protection system may consist of several sub-systems performing several SIFs, and the PFD may be allocated further down. In this case high integrity pipeline protection system (HIPPS), production shutdown (PSD), emergency shut down (ESD) etc. are such systems or functions.
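The division above, together with the mapping of the resulting PFD to a SIL band, as an added Python example (not the thesis's own material). The SIL bands are the low-demand PFD ranges of IEC 61511 (the thesis's Table 1.1); the separator inputs are the ones from the text, and for them the division returns 4·10^{-8}, which lies below the SIL 4 band, so the lookup reports that no single SIF band covers it. The equal split over assumed independent sub-functions, whose PFDs then multiply, is one illustration of allocating the requirement further down and is an assumption of this example, not the thesis's allocation method.

```python
"""Added example (not from the thesis): the IEC 61508 quantitative route from
acceptable frequency and demand rate to a required PFD and a SIL band."""

# Low-demand PFD bands of IEC 61511 (the thesis's Table 1.1):
# (SIL, lower PFD bound inclusive, upper PFD bound exclusive)
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


def required_pfd(acceptable_failures_per_year, demands_per_year):
    """Acceptable number of SIF failures per year divided by demands per year
    gives the acceptable failures per demand, i.e. the PFD the SIF must meet."""
    if demands_per_year <= 0:
        raise ValueError("demand rate must be positive")
    if acceptable_failures_per_year < 0:
        raise ValueError("acceptable frequency cannot be negative")
    return acceptable_failures_per_year / demands_per_year


def sil_from_pfd(pfd):
    """SIL band containing pfd. Returns 0 when pfd >= 0.1 (no SIL needed) and
    None when pfd < 1e-5, i.e. stricter than SIL 4 and not claimable for one SIF."""
    if pfd >= 0.1:
        return 0
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return None


def allocate_equally(total_pfd, n_layers):
    """Assumed allocation: split a required PFD over n independent protection
    layers that must all fail, so their PFDs multiply; each gets total_pfd^(1/n)."""
    if n_layers < 1:
        raise ValueError("need at least one layer")
    return total_pfd ** (1.0 / n_layers)


def quantitative_sil(acceptable_failures_per_year, demands_per_year):
    """Return (required PFD, SIL band or None) for the given EUC risk inputs."""
    pfd = required_pfd(acceptable_failures_per_year, demands_per_year)
    return pfd, sil_from_pfd(pfd)


if __name__ == "__main__":
    # Separator from the text: 1e-6 acceptable overpressures per year, 25 demands per year
    pfd, sil = quantitative_sil(1e-6, 25)
    print(f"required PFD {pfd:.1e}, SIL band {sil}")  # 4.0e-08, None
    each = allocate_equally(pfd, 2)
    print(f"split over two layers: {each:.1e} each, SIL {sil_from_pfd(each)}")  # 2.0e-04, 3
```

Because the half-open bands are checked in order, a PFD exactly on a boundary (for example 10^{-4}) lands in the less demanding band, which is how the IEC 61511 table is read.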
Figure 2.1: Typical risk matrix modified for SIL determination adapted from Marszal and Scharpf (2002)

If the consequence is one that could cause any serious injury or fatality on site or off site, it could be categorized as serious. If the frequency of this outcome is expected to be $> 10^{-2}$, the assigned category is high. This consequence-likelihood pair would in Figure 2.1 give SIL 3, but with further analysis required (Marszal and Scharpf, 2002). It is important to emphasize that the categorization and determination may lead to an unrealistic result. Other tools and methods may be used in conjunction with this method to improve the quality of the categories and the accuracy of the plotting (Marszal and Scharpf, 2002; IEC 61511, 2003).
Table 2.2: Frequency of hazardous event likelihood adopted from IEC 61511

Type of events                                                                                                                            | Likelihood, qualitative ranking
Events such as multiple failures of diverse instruments or valves, multiple human errors in a stress free environment, or spontaneous failures of process vessels | Low
Events such as dual instrument, valve failures, or major releases in loading / unloading areas                                            | Medium
Events such as process leaks, single instrument, valve failures or human errors that result in small releases of hazardous materials     | High

* The system should be in accordance with this standard when a claim that a control function fails less frequently than $10^{-1}$ per year is made.
Figure 2.2: Safety layer matrix diagram adapted from IEC 61511 (2003)
Figure 2.2 shows a typical safety layer matrix. The risk criteria are embedded in the diagram, and the methodology and categorization are similar to the risk matrix. The specific hazardous event likelihood and hazardous event severity classification is plotted, which selects one of the 9 columns in the figure. In order to determine the final box in the figure that contains the necessary SIL, the number of PLs must be identified (IEC 61511, 2003). An example could be a process leak resulting in catastrophic consequence to personnel (several casualties). The hazardous event severity is categorized as serious. In Table 2.2 the occurrence of a process leak is classified with high likelihood. Two mechanical pressure relief devices were identified satisfying the PL criteria. In Figure 2.2 an event with serious consequence and high likelihood rating with two PLs would require SIL 2. If the number of PLs had been one, SIL 3 and additional analysis would be required.
Table 2.3: SIL requirement table adopted from OLF 070

Safety function: Subsea ESD - Shut-in of one subsea well
SIL: 3
Functional boundaries for given SIL requirement / comments:
  Isolate one subsea well. The SIL requirement applies to a conventional system with flowline, riser and riser ESD valve rated for shut-in conditions. Isolation of one well by activating or closing:
  - ESD node
  - Topside HPU and / or EPU
  - WV and CIV including actuators and solenoids
  - MV
  - DHSV including actuators and solenoids
  NOTE: If injection pressure through the utility line may exceed the design capacity of the manifold or flow line, protection against such scenarios must be evaluated specifically.
  NOTE: If a PSD system is specified for a conventional system for safety reasons, the PSD functions shall be minimum SIL 1.
Ref.: A.13
Table 2.4: Classification of risk parameters adopted from IEC 61511

Risk parameter                                                     | Category | Classification
Consequence (C)                                                    | C_A      | Light injury to persons
                                                                   | C_B      | Serious injury to one or more persons. Death of one person
                                                                   | C_C      | Death of several persons
                                                                   | C_D      | Catastrophic effect, very many people killed
Frequency of presence in the hazardous zone (F) (occupancy)        | F_A      | Rare to more frequent exposure in the hazardous zone
                                                                   | F_B      | Frequent to permanent exposure in the hazardous zone
Possibility of avoiding the consequences of the hazardous event (P)| P_A      | Possible under certain conditions
                                                                   | P_B      | Almost impossible
Frequency of the unwanted consequence (W)                          | W1       | A very slight probability that the unwanted occurrences occur and only a few occurrences are likely
                                                                   | W2       | A slight probability that the unwanted occurrences occur and few occurrences are likely
                                                                   | W3       | A relatively high probability that the unwanted occurrences occur and frequent occurrences are likely
quences are measured by the extent of injury to people, but environmental or financial target measures can also be utilized (IEC 61511, 2003; Marszal and Scharpf, 2002). The occupancy parameter (F) indicates the fraction of time the hazardous area is occupied by personnel. F_B indicates higher risk than F_A, as the area is more frequently exposed. Usually, F_A is selected if the hazardous area is occupied less than approximately 10% of the time (IEC 61511, 2003). The possibility of personnel avoiding the hazard is incorporated in the parameter P. This parameter reflects what means the personnel have to identify and escape the hazard. In addition, skill and supervision in process operation, and the rate of development of the hazardous event, are taken into account. Two categories, P_A and P_B, are suggested, and P_B indicates the higher risk. A checklist of statements that must be true in order to select P_A can be utilized in the evaluation. Such statements are suggested in IEC 61511. The final parameter is the demand rate parameter (W), which is the frequency per year of the unwanted consequence without the SIF in question but with other safeguards operating. Also for this parameter higher indices indicate higher risk, as they take less credit for risk reduction by other safeguards. W1 indicates that only a few occurrences are likely, and a demand rate of less than 0.03 per year could fit such a description. W2 and W3 indicate that few occurrences or frequent occurrences are likely, and suitable demand rates per year could be 0.03 - 0.3 and more than 3, respectively. The choice of this parameter will affect the result, and care should be taken when selecting the category (Baybutt, 2007; IEC 61511, 2003).

Figure 2.3 shows a typical risk graph diagram. The path from left to right is decided by the selected risk parameters. The selected consequence, occupancy and possibility of avoidance categories result in an output row X. Each output row corresponds to three values of W. The selection of the demand rate W is the last step in determining the SIL. A higher W parameter leads to a higher SIL. The tolerable level of risk is embedded in the boxes in the three columns at the right-hand side, and the choice of these must support the company risk criteria (Marszal and Scharpf, 2002; IEC 61511, 2003). If the separator example, as explained in Section 2.1, is employed, the reasoning will be as follows: if the likely consequence is evaluated to be serious injury to one or more persons, C_B is selected. Then, F_A is chosen because the area is only rarely to more frequently exposed to personnel. It is possible under certain conditions to avoid the consequences, which indicates that parameter P_A should be used. The combination of these risk parameters results in output row X2. There is a relatively high probability that the unwanted occurrence takes place, and the demand rate category is set to W3. In Figure 2.3 this results in a SIL 1 requirement.
Table 2.5: Example calibration adapted from IEC 61511

Risk parameter                 | Classification
Consequence (C)                | C_A: Minor injury
                               | C_B: 0.01 < No. of fatalities < 0.1
                               | C_C:
                               | C_D:
                               | Number of fatalities can be calculated as: No. of people present when the area exposed to the hazard is occupied, multiplied by the vulnerability to the identified hazard V, where
                               |   V = 0.01 (small release of flammable or toxic material)
                               |   V = 0.1 (large release of flammable or toxic material)
                               |   V = 0.5 (as above, but also a high probability of catching fire, or highly toxic material)
                               |   V = 1 (rupture or explosion)
Occupancy (F)                  | Percentage of time the exposed area is occupied during a normal working period
                               | F_A:
                               | F_B:
Possibility of avoidance (P)   | P_A: Hazard can be prevented by the operator taking action after he realizes the SIS has failed to operate. Refer to certain conditions (given in IEC 61511-3)
                               | P_B: Adopted if the conditions do not apply
Demand rate (W)                | W1: Demand rate < 0.1D per year
                               | W2: 0.1D < Demand rate < 10D
                               | W3: For demand rate > 10D, higher safety integrity shall be needed
According to Marszal and Scharpf (2002), potential loss of life (PLL) ranges could also be used as a measure of the consequence. PLL is the expected number of fatalities within a population during a specified period of time (NORSOK Z-013, 2001). Note that care should be taken if PLL is chosen as a measure, because it incorporates both probability and consequence. When assigning the other risk parameters it is important to make sure that the consequence parameter is considered independent (Marszal and Scharpf, 2002). The parameter F is often measured by the percentage of time the area that is exposed to the hazard is occupied. F_A should be used if the parameter value is less than 0.1 (IEC 61511, 2003; Marszal and Scharpf, 2002). The avoidance factor P_A is selected if all conditions stated in IEC 61511-3 are satisfied; P_B is selected if not (IEC 61511, 2003). The demand rate (W) is the number of times per year that the hazardous event would occur in the absence of the SIF under consideration. In Table 2.5 ranges are assigned to the different categories. D is a calibration factor that should make the risk graph result in a level of residual risk that is tolerable. It is important that issues are not accounted for more than once, which would make the result erroneous. Documentation of the calibration process with references is necessary, and should be done with care (Marszal and Scharpf, 2002; IEC 61511, 2003). When the calibration process is finished and the parameters decided, the risk graph is used to determine the SIL. The demand rate, occupancy and possibility of avoiding the consequence of the hazardous event together represent the frequency of the unwanted consequence. In combination with the unwanted consequence, the frequency constitutes the risk without the SIF in place. The input in each box in the risk graph must be in accordance with the tolerable risk (IEC 61511, 2003; Marszal and Scharpf, 2002).

The separator example referred to in the previous section could again serve as an illustration. In this case the vulnerability measure is estimated to be 0.5: overpressure is severe and results in a large release of flammable material with a high probability of catching fire. If the number of people present when the area is occupied is 2, the resulting number of fatalities is 1, and class C_C is selected as the consequence severity. One operator does maintenance work or supervision approximately 45 minutes per day, so the exposed area is occupied less than 10% of the time, giving occupancy class F_A. The conditions regarding the possibility of avoidance are satisfied and P_A is selected. The calibration factor D is set to 4. The demand rate is estimated to be 20 demands per year. This is less than 40 and greater than 0.4, which corresponds to W2. The SIL is determined as for the qualitative risk graph, and results in a SIL 2 requirement.
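The calibration rules of Table 2.5 and the separator walk-through above, as an added Python example that is not from the thesis or from IEC 61511. Table 2.5 fixes only the C_B range; the C_A, C_C and C_D boundaries in the code (fatalities at most 0.01, between 0.1 and 1, above 1) are assumptions of this example, chosen so that the thesis's one-fatality case lands in C_C. The functions return the (C, F, P, W) tuple used to walk the risk graph; reading the SIL off the figure itself is not encoded.

```python
"""Added example (not from the thesis): classifying the four calibrated
risk-graph parameters C, F, P and W with the rules of Table 2.5."""

# Vulnerability V per Table 2.5 (values as given in the thesis)
VULNERABILITY = {
    "small release of flammable or toxic material": 0.01,
    "large release of flammable or toxic material": 0.1,
    "large release with high probability of fire, or highly toxic material": 0.5,
    "rupture or explosion": 1.0,
}


def consequence_class(people_present, vulnerability):
    """C from expected fatalities = people present x V. Table 2.5 gives only
    C_B (0.01 < fatalities < 0.1); the other boundaries are assumptions:
    fatalities <= 0.01 -> C_A, 0.1 <= fatalities <= 1 -> C_C, > 1 -> C_D."""
    if people_present < 0 or not 0.0 <= vulnerability <= 1.0:
        raise ValueError("people must be >= 0 and V within [0, 1]")
    fatalities = people_present * vulnerability
    if fatalities <= 0.01:
        return "CA", fatalities
    if fatalities < 0.1:
        return "CB", fatalities
    if fatalities <= 1.0:
        return "CC", fatalities
    return "CD", fatalities


def occupancy_class(fraction_of_time_occupied):
    """F_A when the exposed area is occupied less than 10 % of the time, else F_B."""
    if not 0.0 <= fraction_of_time_occupied <= 1.0:
        raise ValueError("occupancy must be a fraction between 0 and 1")
    return "FA" if fraction_of_time_occupied < 0.1 else "FB"


def avoidance_class(all_iec_61511_3_conditions_met):
    """P_A only when every avoidance condition of IEC 61511-3 holds; otherwise P_B."""
    return "PA" if all_iec_61511_3_conditions_met else "PB"


def demand_rate_class(demands_per_year, D):
    """W from the demand rate without the SIF, scaled by the calibration factor D:
    < 0.1 D -> W1, 0.1 D to 10 D -> W2, > 10 D -> W3 (Table 2.5 notes that higher
    safety integrity is needed in the W3 range)."""
    if D <= 0:
        raise ValueError("calibration factor D must be positive")
    if demands_per_year < 0.1 * D:
        return "W1"
    if demands_per_year <= 10 * D:
        return "W2"
    return "W3"


def calibrated_parameters(people_present, vulnerability, fraction_occupied,
                          avoidance_conditions_met, demands_per_year, D):
    """Return the (C, F, P, W) tuple that selects the path through the risk graph."""
    c, _ = consequence_class(people_present, vulnerability)
    return (c,
            occupancy_class(fraction_occupied),
            avoidance_class(avoidance_conditions_met),
            demand_rate_class(demands_per_year, D))


if __name__ == "__main__":
    # The thesis's separator: 2 people, V = 0.5, 45 min/day, conditions met, 20 demands/yr, D = 4
    print(calibrated_parameters(2, 0.5, 45 / (24 * 60), True, 20, 4))  # ('CC', 'FA', 'PA', 'W2')
```

Changing D rescales only the W thresholds, which is why the text stresses that the calibration of D (and not double-counting occupancy or avoidance elsewhere) decides whether the residual risk comes out tolerable.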
Chapter 3
LOPA
3.1 What is LOPA?
LOPA was introduced in the 1990s, and has recently gained international popularity. LOPA is referred to in the literature as both a simplified risk assessment technique and a risk analysis tool. Capital improvement planning, incident investigation, and management of change can be found as additional applications. LOPA is a flexible tool which can be used in different contexts and applications, making it confusing to understand what it really is. The application under consideration here is LOPA as a SIL determination tool.
Figure 3.1: Risk analysis procedures adopted from Rausand and Høyland (2004)
According to Marszal and Scharpf (2002) LOPA can be viewed as a special type of event tree analysis (ETA), with the purpose of determining the frequency of an unwanted consequence that can be prevented by a set of protection layers. The approach evaluates a worst-case scenario, where all the protection layers must fail in order for the consequence to occur. The frequency of the unwanted consequence is calculated by multiplying the PFDs of the protection layers with the demand on the protection system (expressed as a frequency). Comparing the resulting frequency of the unwanted consequence with a tolerable risk frequency identifies the necessary risk reduction, and an appropriate SIL can be selected (Marszal and Scharpf, 2002; CCPS, 2001). LOPA is a semi-quantitative method using numerical categories to estimate the parameters needed to calculate the necessary risk reduction corresponding to the acceptance criteria (CCPS, 2001). In a quantitative risk assessment (QRA) mathematical models and simulations are often used to estimate the extent or escalation of damage, e.g. toxic diffusion, explosion expansion or fire escalation. In addition, FTA or other methods are used to calculate the frequency of the accidental event (Rausand and Høyland, 2004). In LOPA, simplifications, expert judgment and tables are used to estimate the needed numbers (CCPS, 2001). LOPA usually receives its input from a HAZOP or a hazard identification study (HAZID), and often serves as input to a more thorough analysis such as a QRA. Figure 3.1 is often referred to as the bow-tie and is a common figure to describe risk analysis. It shows the accidental event linked to its causes and consequences, and the methods which may be applied in the different phases. An ETA focuses on the consequence spectrum, not on the causal analysis, implying that LOPA is placed in column (c) to the right in the figure.
On the other hand LOPA is not as in-depth as would be expected from a consequence analysis, and it interacts closely with HAZOP, suggesting that it should be positioned more towards the middle (column b). The final position is somewhere in between. Often an "onion" like the one in Figure 3.2 is used to illustrate the protection layers in LOPA. The system or process design has protection layers including the basic process control system (BPCS), critical alarms and human intervention, SIFs, physical protection and emergency response. The BPCS is the control system used during normal operation, sometimes denoted the process control system (PCS). Input signals from the process and / or from the operator are turned into outputs which make the process operate in the desired manner. If the control system detects that the process is out of control (e.g. high pressure) it may initiate actions to bring the parameter back within limits (e.g. choking the flow) (CCPS, 2001; IEC 61511, 2003). Alarms monitoring certain parameters (e.g. pressure and temperature) are considered another protection layer. When the alarm trips, the operator may intervene to stop the hazardous development. Note that the alarm system has to be wired to a different loop than the BPCS in order to be independent (CCPS, 2001; IEC 61511, 2003).
Rausand (2004) describes a SIS as a system comprising sensors, logic solver(s) and actuating (final) elements, which can be looked upon as an independent protection shell for machinery or equipment. A SIS implements the wanted safety function, the SIF. In LOPA, SIFs are considered protection layers. Physical protection includes equipment like pressure relief devices. In a separator this may be a rupture disc which blows off pressure if the pressure is too high. Post-release protection is physical protection such as dikes, blast walls etc. These have their function after the release or explosion has occurred. Both types of physical protection are considered protection layers in LOPA (CCPS, 2001; The Dow Chemical Company, 2002; ACM Facility Safety, 2006). If an accident occurs, procedures, evacuation plans, equipment and medical treatment help the exposed personnel to escape, or mitigate damage / injury. Such measures are classified as plant and community emergency response, and are considered the final protection layer (CCPS, 2001; The Dow Chemical Company, 2002; ACM Facility Safety, 2006). LOPA incorporates the reliability of the existing barriers to determine the required reliability of the SIF. Note that LOPA does not determine which protection layers to implement, only the needed performance. In some cases a SIF is already present, and the SIL of an additional SIF shall be determined. How many and which protection layers are required depends on the situation at hand (CCPS, 2001; The Dow Chemical Company, 2002).
Process deviation
According to NORSOK Z-013 (2001) an accidental event is defined as an event or chain of events that may cause loss of life, or damage to health, the environment or assets. Another definition is the first significant deviation from a normal situation that may lead to unwanted consequences (Rausand and Høyland, 2004). IEC 60300-3-9 (1995) uses the term hazardous event instead of accidental event. In the HAZOP study the accidental event is referred to as a process deviation. The term process deviation is used from now on, and the definition from Rausand and Høyland (2004) is acknowledged as adequate.
Impact event
CCPS (2001) describes an impact as: "The ultimate potential result of a hazardous event. Impact may be expressed in numbers of injuries or fatalities, environmental or property damage, or business interruption." According to IEC 61511 an impact event is equivalent to the consequence in the HAZOP study. This implies that the impact event is the unwanted consequence of the hazardous or accidental event, which is referred to as a process deviation. The impact event is closely related to the unwanted consequence, and the question which remains is what degree of consequence an impact event represents, e.g. the end-consequence or an intermediate consequence. From now on impact event is defined as the first sign of harm to people, environment or assets. Examples are a car crash or an explosion due to overpressure of a separator. The impact event may lead to an end-consequence which may include fatalities / injury, environmental damage or economic loss. For the impact event "car crash", the process deviation could be "car starts to slide": the car is out of control, and if the situation is not brought back under control, the impact event occurs. For the impact event "explosion due to overpressure of separator", the process deviation could be "high pressure upstream of separator".
Initiating cause
The initiating causes are the reasons why the process deviation occurs, not the most basic underlying root causes; the initiating causes are the results of the root causes. CCPS presents three types of initiating causes: external events, equipment failures and human failures. External events are earthquakes, hurricanes and other external shocks. Equipment failures are control system failures or mechanical failures. Human failures are either errors of omission (failing to perform a required action, e.g. failing to observe or respond) or errors of commission (performing the task incorrectly) (CCPS, 2001). For the car crash example an initiating cause could be a slippery road.
Scenario
According to CCPS (2001) a scenario describes a single cause - consequence pair from the HAZOP; in LOPA terminology this is a single initiating cause - impact event pair. This implies that a scenario consists of more than just the impact event. But should not a scenario comprise even more? A more appropriate definition of a scenario would include more than one cause. The scenario definition is therefore extended to describe the development from a process deviation to an impact event, including the causes leading to the process deviation.
An airbag system is defined as a SIS. The airbag inflates when a set of sensors send signals to a logic solver which initiates the inflation. If the impact event is a car crash, this protection system functions after the occurrence of the impact event: it limits the extent of damage rather than reducing the frequency of the impact event. In other cases SIFs may be placed before the impact event. If the impact event is overpressure of a separator, SIFs that close valves and shut down the system are placed before it. Such a SIF tries to prevent the impact event from occurring, thus reducing its frequency.
Figure 3.3: Relation between initiating causes, impact event, process deviation and IPLs

Figure 3.3 shows the relation between the initiating causes, impact event, process deviation and the PLs listed in IEC 61511. It shows how all the terms fit together, and the figure and the definitions given form the basis of the understanding of LOPA. Initiating causes may be the sources of a process deviation, which may lead to an impact event. The impact event may result in an end-consequence. In order to prevent the end-consequence, PLs are introduced. Most of these have the objective of limiting the frequency of the impact event, but PLs to minimize the extent of damage may also be put in place. Note that the worst-case scenario is assumed: all the PLs have to fail in order for the end-consequence to occur, hence the analogy to a branch in an ETA. The symbol * means that the PL may be credited as an IPL. The concept of IPL is discussed in the case study in Chapter 6. Note that the starting point of the LOPA analysis is the impact event. After this is identified, the causes are identified and the protection layers evaluated.
Impact event
The potential impact event is described in the first column of the table. These are the consequences determined in the HAZOP study.
Severity Level
In the next column the severity level of the impact event is entered. Levels of Minor (M), Serious (S) or Extensive (E) are suggested, which is the same classification as in the risk matrix approach and the safety layer matrix approach. Note that in the risk graph approach the consequence levels range from C_A to C_D, where C_D is the most severe.
Table 3.1: Important columns in the LOPA report / worksheet adapted from IEC 61511 (2003)

Column 1, Impact event: Pressure above design pressure of separator. Rupture of separator and possible ignition, leading to the end-consequence: number of fatalities between 1 and 10. Assuming no slug entering.
Column 2, Severity level: E

Columns 3 to 12, one column per initiating cause:

 3  Initiating cause                      Pressure control failure        Spurious trip of the XV in
                                          causing blocked outlet          addition to PV control failure
 4  Initiation likelihood (per year)      0.1                             0.001
    Protection layers:
 5  General process design                1                               1
 6  BPCS                                  1                               1
 7  Alarms etc.                           1                               1
 8  Additional mitigation                 0.21                            0.21
    (restricted access)
 9  High integrity additional             0.08                            0.08
    mitigation (dikes, pressure relief)
10  Intermediate event likelihood         1.7 × 10^-3                     1.7 × 10^-5
    (per year)                            (total 1.717 × 10^-3; necessary risk reduction 1.75 × 10^-2)
11  SIF integrity level                   SIL 1
12  Mitigated event likelihood            3 × 10^-5                       3 × 10^-7
    (per year)                            (total 3.03 × 10^-5)
Total risk
The last step could be to calculate the total risk with respect to each specific impact event. The mitigated event likelihoods for all the events rated as serious or extensive, and that present the same hazard, are added up. This step could include additional probabilities, if not accounted for in the previous steps.
Example
In Table 3.1 some rows are filled in. The example is overpressure of a topside separator taken from Harsem Lund (2007). The HAZOP identified that pressure above the design pressure of the separator could cause rupture and possible ignition, leading to a number of fatalities between 1 and 10. Further, two initiating causes with initiating likelihoods were identified. General process design, BPCS and alarms are not given credit as PLs, and are thus given the value 1. Additional mitigation (restricted access) is estimated to 0.21, due to an assumed ignition probability of 0.3 and an occupancy of 70% (0.3 × 0.7 = 0.21). IPL additional mitigation is estimated to 0.08, due to the assumption that 8 PSVs must be running to avoid pressure build-up above the test pressure. The intermediate event likelihood is now calculated for the initiating events, and the corporate / company criterion for this severity level (E) is 3 × 10^-5 events per year. The sum of the intermediate event likelihoods is 1.717 × 10^-3 events per year. Dividing 3 × 10^-5 by 1.717 × 10^-3 gives a necessary risk reduction of 1.75 × 10^-2, which is a SIL 1 requirement. The mitigated event likelihoods become 3 × 10^-5 and 3 × 10^-7 events per year, which give a total of 3.03 × 10^-5 events per year. Note that both in the table and in the calculations accurate numbers with several decimals are used. This is done for illustration only; usually, two decimals are appropriate.
Figure 3.4: Extract of SIL determination methodology from Ellis and Wharton (2006)
Figure 3.5: Aker E&T methodology adapted from Nordhagen (2007)

The SIF under consideration is assumed not to be in place during the analysis, and the formula used in the evaluation of the LOPA results can be written Acc. freq. / Total IEL. If the ratio between the accepted frequency (Acc. freq.) and the calculated total intermediate event likelihood (IEL) is greater than or equal to 1, the team shall evaluate whether the SIF shall be removed or not. This implies that the resulting frequency of the end-consequence, without the proposed SIF, is equal to or less than the accepted frequency. The analysis team can either remove the SIF, because the system is evaluated safe enough, or keep the SIF but without any requirements to the safety function. If 1 > Acc. freq. / Total IEL > 0.1, SIL 0 is selected. This implies that the intermediate event likelihood is between one and ten times higher than the acceptable value. No further evaluation is necessary, but the SIF is kept in order to achieve some risk reduction. If 0.1 > Acc. freq. / Total IEL > 0.01, which is equivalent to SIL 1 in IEC 61511, SIL 1 is selected and no further evaluation is done. SIL 2 is selected if 0.01 > Acc. freq. / Total IEL > 0.001. If the analysis result is SIL 3 (0.001 > Acc. freq. / Total IEL > 0.0001), a QRA is initiated to further evaluate the SIF (Nordhagen, 2007).
Chapter 4
Preferred approach
4.1 Flowchart
When performing LOPA, a clear methodology and approach is needed to make the team focus on the analysis and not on how to do the analysis. The preferred approach is a recommended approach developed from the worksheet presented in IEC 61511, reproduced in Table 3.1. It is modified taking the views presented in Sections 3.5 and 3.6 into consideration, using the terms described in Section 3.2. The steps in Figure 4.1 are described in the paragraphs below.
Table 4.1: Target mitigated event likelihood for safety hazards adapted from Nordhagen (2007)

Severity level   Safety consequence                                     Target mitigated event likelihood
CA               Single first aid injury                                3 × 10^-2 per year
CB               Multiple first aid injuries                            3 × 10^-3 per year
CC               Single disabling injury or multiple serious injuries   3 × 10^-4 per year
CD               Single on-site fatality                                3 × 10^-5 per year
CE               More than one and up to three on-site fatalities       1 × 10^-5 per year
$$ f_{IEL,i} = f_i \prod_{j=1}^{J} PFD_{ij} \qquad (4.1) $$
Table 4.2: Typical frequency values assigned to initiating causes adapted from CCPS (2001)

Initiating event                                              Frequency range from literature (per year)   Example of a value chosen by a company
Pressure vessel residual failure                              10^-5 to 10^-7                               1 × 10^-6
Piping residual failure, 100 m, full breach                   10^-5 to 10^-6                               1 × 10^-5
Piping leak (10% section), 100 m                              10^-3 to 10^-4                               1 × 10^-3
Atmospheric tank failure                                      10^-3 to 10^-5                               1 × 10^-3
Gasket / packing blowout                                      10^-2 to 10^-6                               1 × 10^-2
Turbine / diesel engine overspeed with casing breach          10^-3 to 10^-4                               1 × 10^-4
Third party intervention (external impact by backhoe,         10^-2 to 10^-4                               1 × 10^-2
vehicle etc.)
Crane load drop                                               10^-3 to 10^-4 per lift                      1 × 10^-4 per lift
Lightning strike                                              10^-3 to 10^-4                               1 × 10^-3
Safety valve opens spuriously                                 10^-2 to 10^-4                               1 × 10^-2
Cooling water failure                                         1 to 10^-2                                   1 × 10^-1
Pump seal failure                                             10^-1 to 10^-2                               1 × 10^-1
Unloading / loading hose failure                              1 to 10^-2                                   1 × 10^-1
BPCS instrument loop failure                                  1 to 10^-2                                   1 × 10^-1
Regulator failure                                             1 to 10^-1                                   1 × 10^-1
Small external fire (aggregate causes)                        10^-1 to 10^-2                               1 × 10^-1
Large external fire (aggregate causes)                        10^-2 to 10^-3                               1 × 10^-2
LOTO (lock-out tag-out) procedure failure                     10^-3 to 10^-4 per opportunity               1 × 10^-3 per opportunity
Operator failure (to execute routine procedure, assuming      10^-1 to 10^-3 per opportunity               1 × 10^-2 per opportunity
well trained, unstressed, not fatigued)
Table 4.3: PFDs for IPLs adapted from CCPS (2001) and BP (2006)

IPL                                                                      PFD
BPCS, if not associated with the initiating event being considered       1 × 10^-1
Operator alarm with sufficient time available to respond                 1 × 10^-1
Relief valve                                                             1 × 10^-2
Rupture disc                                                             1 × 10^-2
Flame / detonation arrestors                                             1 × 10^-2
Dike / bund                                                              1 × 10^-2
Underground drainage system                                              1 × 10^-2
Open vent (no valve)                                                     1 × 10^-2
Fireproofing                                                             1 × 10^-2
Blast-wall / bunker                                                      1 × 10^-3
Identical redundant equipment                                            1 × 10^-1 (max credit)
Diverse redundant equipment                                              1 × 10^-1 to 1 × 10^-2
Other events                                                             Use experience of personnel
SIS, SIL 1 (typically a single sensor, logic and final element)          1 × 10^-1 to 1 × 10^-2
SIS, SIL 2 (typically multiple sensors, multiple channel logic and       1 × 10^-2 to 1 × 10^-3
multiple final elements, for fault tolerance)
SIS, SIL 3 (as SIL 2; requires careful design and frequent proof tests)  1 × 10^-3 to 1 × 10^-4
Equation 4.1 shows the formula to calculate the intermediate event likelihood, f_{IEL,i}, for a certain initiating event i. Let the number of IPLs range from 1 to J, and let each IPL have a PFD denoted PFD_{ij}. The product of the PFDs is multiplied by the frequency of initiating event i, f_i. The intermediate event likelihood is the expected frequency of the consequence with the credited IPLs in place.
$$ f_{IEL,total} = \sum_{i} f_{IEL,i} \qquad (4.2) $$
diate event likelihood) must be eliminated by the SIF, hence the needed SIL. By dividing the target mitigated event likelihood by the total intermediate event likelihood, the PFD corresponding to the SIL is found. Equation 4.3 shows how the acceptable frequency, f_{Acc}, is used to determine the necessary risk reduction. The target mitigated event likelihood is denoted f_{TMEL}; the ratio is the required PFD of the SIF, and the SIL band follows from it.

$$ \mathrm{SIL} = \text{necessary risk reduction} = \frac{f_{Acc}}{f_{IEL,total}} = \frac{f_{TMEL}}{f_{IEL,total}} \qquad (4.3) $$
Screen by SIL
If the resulting SIL is higher than SIL 3, a QRA should be initiated. A high SIL requirement is stricter, demanding higher reliability and performance of the SIS. LOPA includes uncertainty, and for SILs requiring high integrity a more thorough analysis is recommended. If the SIL is lower than SIL 4, the flowchart loop is finished. Note that the screening criterion in this case is SIL > 3; the criterion should be adapted to the situation at hand. In some cases SIL > 2 is more applicable.
The calculation is done for all rows in the LOPA worksheet related to the impact event concerned. Note that the mitigated event likelihood equals the TMEL if the exact PFD of the calculated SIL is employed; it then serves as a check of whether the acceptable risk is satisfied with the calculated SIL. This is the last step in the LOPA procedure. If there are more impact events, these shall be evaluated, and the analysis team goes back to the pick impact event phase. This is not implemented in the flowchart. The team usually continues the analysis until all process deviations from the HAZOP are evaluated.
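The worksheet arithmetic of Equations 4.1 to 4.3, the selection bands of the Aker E&T methodology in Section 3.6, and the screening and mitigated event likelihood check described above, run on the two rows of Table 3.1, as an added example in Python. This is the editor's illustration and not code from the thesis or from Aker; the class and function names are its own. Assumptions: the 3 × 10^-5 per year target is the corporate criterion quoted for the Table 3.1 example rather than a Table 4.1 value; a ratio exactly equal to a power of ten is placed in the band whose lower bound it is (the IEC 61511 convention, SIL 1 covering 10^-2 <= PFD < 10^-1), since the strict inequalities in Section 3.6 leave the boundaries open; and intermediate values are not rounded, so the total IEL comes out as 1.697 × 10^-3 instead of the rounded 1.717 × 10^-3 in the text.

```python
"""LOPA worksheet arithmetic: Equations 4.1-4.3, Aker E&T SIL bands and the
mitigated event likelihood check, applied to the Table 3.1 separator rows.
Added example; names and structure are the editor's, not the thesis'."""
from dataclasses import dataclass
from math import prod
from typing import Optional

# Target mitigated event likelihood per severity level, per year (Table 4.1).
TMEL_BY_SEVERITY = {"CA": 3e-2, "CB": 3e-3, "CC": 3e-4, "CD": 3e-5, "CE": 1e-5}

# Highest PFD a SIS of each SIL may have (IEC 61511: SIL n is 10^-(n+1) <= PFD < 10^-n).
SIL_PFD_UPPER = {1: 0.1, 2: 0.01, 3: 0.001, 4: 0.0001}


@dataclass
class InitiatingCause:
    description: str
    frequency: float   # f_i, initiating cause frequency per year (cf. Table 4.2)
    pfds: list         # PFD_ij of the credited IPLs in columns 5-9; 1.0 = no credit

    def iel(self) -> float:
        """Equation 4.1: f_IEL,i = f_i * product over j of PFD_ij."""
        return self.frequency * prod(self.pfds)


@dataclass
class ImpactEvent:
    description: str
    severity: str
    causes: list
    tmel: Optional[float] = None   # corporate criterion; None = look up Table 4.1

    def target(self) -> float:
        return self.tmel if self.tmel is not None else TMEL_BY_SEVERITY[self.severity]

    def total_iel(self) -> float:
        """Equation 4.2: sum of f_IEL,i over all initiating causes of the event."""
        return sum(c.iel() for c in self.causes)

    def required_pfd(self) -> float:
        """Equation 4.3: necessary risk reduction f_TMEL / f_IEL,total."""
        return self.target() / self.total_iel()


def select_sil(ratio: float) -> Optional[int]:
    """Aker E&T bands (Section 3.6) on ratio = Acc. freq / Total IEL:
    ratio >= 1 -> None (team evaluates removing the SIF); 1 > ratio >= 0.1 -> SIL 0;
    then one SIL per decade, capped at SIL 4. A ratio exactly equal to 10^-n
    falls in SIL n, i.e. band lower bounds are inclusive as in IEC 61511."""
    if ratio >= 1:
        return None
    sil = 0
    for level, upper in SIL_PFD_UPPER.items():   # levels 1..4 in insertion order
        if ratio < upper:
            sil = level
        else:
            break
    return sil


def evaluate(event: ImpactEvent, sif_pfd: Optional[float] = None,
             qra_above_sil: int = 3) -> dict:
    """Run the worksheet for one impact event. With sif_pfd=None the exact
    required PFD is credited, so the total mitigated event likelihood must
    equal the target; passing a vendor PFD shows whether it still does."""
    required = event.required_pfd()
    sil = select_sil(required)
    credited = sif_pfd if sif_pfd is not None else min(required, 1.0)
    mitigated = {c.description: c.iel() * credited for c in event.causes}
    total_mel = sum(mitigated.values())
    return {
        "total_iel": event.total_iel(),
        "required_pfd": required,
        "sil": sil,
        "qra_needed": sil is not None and sil > qra_above_sil,   # screen by SIL
        "mitigated": mitigated,
        "total_mel": total_mel,
        "meets_target": total_mel <= event.target() * (1 + 1e-9),
    }


# Table 3.1 rows. Columns 5-7 (general process design, BPCS, alarms) take no
# credit; column 8 is 0.21 (ignition 0.3 x occupancy 0.7); column 9 is 0.08 (PSVs).
SEPARATOR = ImpactEvent(
    description="Pressure above design pressure of separator; rupture and "
                "possible ignition; 1 to 10 fatalities",
    severity="E",
    tmel=3e-5,   # corporate criterion quoted for severity E in the example
    causes=[
        InitiatingCause("Pressure control failure causing blocked outlet",
                        0.1, [1, 1, 1, 0.21, 0.08]),
        InitiatingCause("Spurious trip of the XV in addition to PV control failure",
                        0.001, [1, 1, 1, 0.21, 0.08]),
    ],
)

if __name__ == "__main__":
    exact = evaluate(SEPARATOR)
    print(f"total IEL {exact['total_iel']:.3e}/yr, required PFD "
          f"{exact['required_pfd']:.2e} -> SIL {exact['sil']}, QRA: {exact['qra_needed']}")
    # A SIS delivered at the top of the calculated SIL band does not meet the target.
    band_top = evaluate(SEPARATOR, sif_pfd=SIL_PFD_UPPER[exact["sil"]])
    print(f"with PFD {SIL_PFD_UPPER[exact['sil']]}: total MEL "
          f"{band_top['total_mel']:.2e}/yr, meets target: {band_top['meets_target']}")
```

Run stand-alone it reports SIL 1 with a required PFD of about 1.8 × 10^-2 and a total mitigated event likelihood equal to the target, and then shows that a SIS delivered at the top of the SIL 1 band (PFD 0.1) leaves the total mitigated event likelihood at about 1.7 × 10^-4 per year, above the 3 × 10^-5 target. The SIL label alone does not carry the requirement; the required PFD does, which is why it has to be transmitted to the vendor together with the SIL.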
Only safety aspects have been considered. Usually economic and environmental issues are also evaluated during a LOPA. Integrity levels for these may be determined for the SIF as well, and the highest of the resulting integrity levels is chosen. Note that this requires additional acceptance criteria (BP, 2006; Nordhagen, 2007). In the approach it is chosen to select an impact event before it is screened by severity level. Another possibility is to do this the other way around. Another issue is how to express and transmit the requirements to the vendors or to the further allocation process. If the LOPA results in a required PFD of 8 × 10^-3, giving SIL 2, and the supplier designs the product with a PFD of 1 × 10^-2, which is also within the SIL 2 band, the outcome is that the system does not fulfill the requirement. Important issues that must be covered in the interface work packages by the system vendor are therefore: what is the requirement, and how is it expressed?
Chapter 5
Table 5.1: Process HAZOP worksheet adopted from Rausand (2005)

Header fields: Study title, Drawing no., Rev. no., Date, Page, HAZOP team, Meeting date, Part considered, Design intent, Material, Activity, Source, Destination.

Columns: No. | Guideword | Deviation | Possible causes | Consequences | Safeguards | Actions required | Actions allocated to | Comments

Example row (part considered: Separator):
  Guideword: High
  Deviation: Pressure above design pressure
  Possible causes: Failure of BPCS, high level, external fire
  Consequences: Release to environment
Figure 5.1: Relationship between HAZOP and LOPA worksheets

Figure 5.1 shows the interaction between the HAZOP and LOPA worksheets. LOPA is performed from left to right in the worksheet and receives input from the HAZOP during the analysis. Note that the HAZOP worksheet in the figure is somewhat different from the one presented in Table 5.1, as it incorporates the severity level (S) and likelihood (L) of the HAZOP consequence (IEC 61511, 2003; Dowell and Williams, 2005; CCPS, 2001). If the (process) deviation in the HAZOP is high pressure, the HAZOP consequence could be "release to environment". The impact event would then also be "release to environment", because the consequence identified in the HAZOP corresponds to the impact event in LOPA. The possible causes from the HAZOP are the initiating causes in LOPA (Dowell, 1998; IEC 61511, 2003). Further transformation or evaluation of causes and sub-causes may be necessary and should be expected. The safeguards identified in the HAZOP are denoted PLs in LOPA. Note that all IPLs are safeguards, but not all safeguards are IPLs (CCPS, 2001). Which IPLs to include, and in which column of the LOPA worksheet they belong, requires evaluation. The actions required column in the HAZOP worksheet may include many things, e.g. new recommended safeguards and work tasks. New recommended safeguards could be either modifications to existing PLs and design, or new protection layers, e.g. SIFs (CCPS, 2001). In Figure 5.1 the arrows are blue and dotted, which indicates that the information from the
columns including safeguards and actions required cannot be transformed directly. The HAZOP consequence severity ranking (S) and the HAZOP consequence likelihood (L) can be transformed to LOPA; impact event severity level and initiating cause frequency are the corresponding terms in LOPA, with associated columns (Dowell and Williams, 2005). The HAZOP worksheet does not necessarily include these columns. There are several views on which columns are included in the HAZOP, according to what the organization or author prefers. The HAZOP may include both the severity ranking and the likelihood of the HAZOP consequence, or just the severity ranking. Another possibility is that the HAZOP has neither, as in Table 5.1. This makes it difficult to know how this part of the interface will be. Even if the HAZOP worksheet has both severity and likelihood rankings, it is not certain that the same categorization is used, adding another issue to the problem. These issues must be evaluated prior to a LOPA, and the blue dotted lines in Figure 5.1 indicate that evaluation is needed when transferring data to LOPA. It is suggested that the same risk matrix, with the related risk acceptance criteria, is used for the HAZOP as for the LOPA. At least the severity ranking should be identical, because the initiating cause frequencies in LOPA are usually obtained from tables and / or expert judgment. In BP (2006) such a common risk matrix including risk acceptance criteria is presented.
If LOPA is performed using an integrated software tool, several of the phases in Figure 4.1 may be performed almost automatically, e.g. data gathering, documentation and transformation of data. In addition, the calculation phases are performed more efficiently. The objectives of a HAZOP / LOPA tool are:
- Reduce the time spent on the analysis (typing / rework, data collection, meeting activity, calculations)
- Make it easier to quality check the results, as the calculations / analysis are conducted in real time
- Increase the quality of the analyses
Specifications are vital in order to make a consistent and thorough software program. These include what exactly the program has to do, and what characteristics it needs. The basis for the specification is the objectives given above, and the previous section. The specification of the proposed HAZOP / LOPA program is as follows:
- HAZOP worksheet cells equal to cells in the LOPA report, and automatic transformation of data. This applies to:
  - HAZOP consequence = LOPA impact event
  - HAZOP possible causes = LOPA initiating causes
  - HAZOP consequence likelihood = LOPA initiating cause frequency (note: may need adjustment)
  - HAZOP consequence severity level = severity level (note: may need adjustment)
- Calculate results based on data:
  - Intermediate event likelihood
  - Mitigated event likelihood
  - SIL
- Provide a database with risk acceptance criteria
- Interface with additional databases:
  - Initiating cause frequency
  - PFDs of IPLs
- Automatically include risk acceptance criteria in the calculations
- User interface quality assurance:
  - Interactive SIL selection which allows the user to select a SIL by clicking and see the impact on the mitigated event likelihood on the screen
  - Rectify erroneous input from the user
  - Modify input / help to specify the units
  - Reminders / pop-up boxes
- Help function with guidelines describing how to implement LOPA. This should include a flowchart, explanation of terms and examples. The help function database should be searchable.
The planned software platform is a Microsoft Excel workbook in combination with Visual Basic (VB) and macros.
Step 1 - HAZOP
The cells containing the HAZOP consequences are set equal to the ones that shall contain the impact events. In Excel this can be done either by creating a VB macro which copies the information, or by defining the cell contents directly equal in Excel. The same applies to the possible causes in the HAZOP. The risk matrix sheet contains the classification of the HAZOP consequence and impact event severity. The chosen severity level is transferred in the same manner as the HAZOP consequence. To initiate the transfer of data, a command button which is constantly visible is placed at the bottom of the LOPA sheet. It is named "Transfer HAZOP data", and when clicked the rows containing the data are transferred or copied. After all the cause and impact event data are transferred, the impact events are screened by severity level. Impact events classified above a certain severity level are colored red, because the initiation of a QRA is suggested. The encoding solution is VB in addition to macros. Some impact events are similar, and combining several impact events is relevant; this is not taken into account in this program illustration.
Step 4 - Calculation
The intermediate event likelihood is calculated directly in Excel by formulas, i.e. cell 10 = PRODUCT(cell 4:cell 9), the product of the initiation likelihood and the PFDs in columns 5 to 9. The TMEL is specified in the risk matrix sheet. According to which severity level is selected, the program enters the correct value of TMEL in the mitigated event likelihood cell in the LOPA sheet; a simple IF statement does this automatically. A command button called "Calculate SIL" initiates the SIL calculation. The IELs for each initiating cause related to the same impact event are added. A set of IF statements counts how many rows are related to the same impact event and calculates the total IEL for that impact event. The TMEL is divided by the total IEL for the impact event, as in Equation 4.3, and the result is the required PFD from which the SIL follows. IF statements containing text strings evaluate the results and print a message to the user in the cell, e.g. "SIL 2" or "No SIS necessary". This part of the program requires extensive VB coding. The program has to remember parameters, and use these to calculate the correct columns and enter the results in the correct cells.
event likelihood is again calculated, and a pop-up box notifies the user whether this PFD fulfills the TMEL requirement. A screening process based on the calculated SIL is beneficial, as higher SILs may require the initiation of a QRA. The program may color the entire row in a certain color if the SIL is higher than a specified limit.
Chapter 6
consist of a pressure transmitter (PT) and the control valve (CV). The process shutdown valve (PSDV) and the pressure safety transmitter (PST) are the only shutdown possibility topside, denoted PSD_topside. When the PST detects high pressure the PSDV closes. The valve is hydraulically or air operated, and a logic solver interprets the signal from the PST. Usually, additional barriers are located in the turret, but for simplicity these are neglected. A mechanical pressure relief device, the pressure safety valve (PSV), is placed on the separator. This is either a spring-loaded or a pilot-operated device that allows gas to go to flare if the pressure exceeds a certain limit. The subsea control unit (SCU) and the hydraulic pump unit (HPU) are located topside on the FPSO. The HPU is basically a pump that supplies hydraulic fluid to the subsea control module (SCM) and the HIPPS control module (HCM), which in turn provide hydraulic pressure to the valve actuators. The SCU includes the logic solver which interprets the signals from the pressure and temperature transmitters, and two surface power and communications units (SPCU) or circuit breakers. In the umbilical, electronic signals (to and from the SCU), hydraulics (from the HPU) and scale and hydrate (methanol) inhibitors are transported from the FPSO to the production system on the seabed.
Choke module
The production choke valve (PCV) has the objective of throttling the flow to control the temperature and the pressure. The choke module is the process control system located subsea. It is important that the flows from different XTs have the same pressure, to prevent one well from producing into another.
X-mas tree
The XT is an assembly of valves, spools and fittings for the oil well. The down hole safety valve (DHSV) is the valve closest to the reservoir, but is not used as a shutdown option in case of overpressure. The production master valve (PMV) and the production wing valve (PWV) are the next two valves in the production pipeline, and possible shutdown options. The crossover valve (XOV) is on the annulus service line. It can relieve a potential pressure build-up in the annulus by injecting the pressure into the production flow. In addition to the valves described above, the XT provides scale inhibitor and / or methanol inhibitor injection lines. Note that these are neglected in the schematic. The XT valves are hydraulically held: the pressure from the fluid column resists a spring force in the valve actuator to keep the valve open. In order to shut the valve the hydraulics are bled off and the spring moves the valve to the closed position. The valve is fail-safe because it goes to a safe (closed) position in case of a failure (leakage in the hydraulic system, spring collapse etc.). When closing the valve the hydraulics may either be bled off in the subsea
control module (SCM) or to sea. Another possibility is to turn down the pump in the HPU in order to create a pressure drop. The subsea control module (SCM) together with the HPU / SCU forms the subsea control system. Note that a process control system (like the choke module) controls the flow, while the subsea control system is used to control the valve operation on the XT. The subsea control system contains hydraulics and accommodates two subsea electronic modules (SEMs), which are the electronic part of the control system. When the PTs used as reference detect high pressure, signals are sent to the SEMs, which transform the signals into a rating. This rating (electronic pulse) is sent to the logic solver in the SCU. If the voting in the logic solver (e.g. 2oo4) decides to initiate a shutdown, initiation signals are sent back to the SEMs. The SEMs control change-over valves that are held electrically. When the logic solver commands a shutdown the valves switch, enabling the hydraulics from the actuator to bleed off in an internal loop in the SCM. PSD_subsea is initiated automatically, and either the PMV, or the PWV and the XOV, must be closed. Figure 6.1 shows that the well is isolated by performing at least one of the two shutdown options. Usually, both options are used during a PSD_subsea shutdown. The PT / TT downstream of the PCV are used as reference. If high pressure is experienced at this point the PSD is initiated.
HIPPS
The HIPPS is located in the manifold. The manifold is an arrangement of piping or valves designed to control, distribute and monitor the flow. Several XTs may be mounted directly on the manifold, or be placed as satellite trees. The manifold has inhibitor injection lines and pipeline inspection gauge (PIG) launch, to prevent hydrate formation. The objective of the HIPPS is to protect the pipeline from the manifold to the FPSO. The HIPPS valves have their own control system called the HIPPS control module (HCM). This device is similar to the SCM. Note that the HCM is independent of the SCM. HIPPS shutdown is initiated automatically. The two HIPPS valves on the manifold are closed if high pressure is experienced by the PT / TT between the valves or downstream of the valves. Another possibility is that one set of transmitters controls one HIPPS valve and the other set controls the second HIPPS valve.
Experts were involved in the hazard identification study, and all members involved in the LOPA as well as in previous studies fulfill the requirements regarding competency. The HAZOP performed prior to the LOPA is assumed to be well documented and sufficient, and the data adjusted to fit the LOPA analysis.
Initiating causes
Fluid slug congestion, choke control error due to human error, and choke collapse are the initiating causes identified. Slug congestion is an accumulation of fluid / hydrates / scale leading to a blockage and pressure build-up upstream of the blockage point. When this substance yields, the fluid accelerates and creates overpressure in the separator. Choke collapse is most likely a hardware valve failure, e.g. fatigue. Choke control error is erroneous operation of the choke control, where the operator makes the wrong response or fails to act at all. All these initiating causes lead to potential overpressure of the separator. The initiating cause frequencies are found from tables, and the chosen values are shown in Table 6.1.
Table 6.1: Initiating cause frequencies
Initiating cause | Data source | Frequency
Fluid slug congestion | Expert judgment / Ormen Lange | 5 times per year
Choke control, human error | BP / CCPS | 1 × 10⁻¹ per opportunity to act
Choke collapse / error | OREDA | 11.3 per 10⁶ hours
The frequency of slug congestion differs from field to field, and depends on the composition of the fluid and the field construction. In the Ormen Lange project 5 demands were identified by expert judgment, which is assumed applicable. The human error (choke control) is assumed to be a routine task. In order to estimate the frequency, the value in the table has to be multiplied by the number of opportunities / demands per year. The choke task is assumed to be executed approximately 20 times per year, giving a resulting frequency of 2 times per year for this initiating cause. The OREDA estimate is given per hour, and assuming 8760 hours per year gives a frequency of 9.9 × 10⁻² per year.
state that the independence requirement claims that the IPL must be independent of the occurrence and consequence of the initiating event, and of the failure of any component of an IPL already credited. Two approaches (A and B) are suggested, where B allows IPLs to physically share components and A restrains this configuration. However, it is assumed that the logic solver will not be the source of failure, which implies that detectors or final elements fail more frequently. If two IPLs share the same sensor(s) or final element(s), neither of the approaches justifies giving credit to more than one IPL. Note that approach A eliminates a larger extent of CCFs.
in the case considered, chosen to credit both the topside and the subsea PSD as a SIL 1 risk reduction.
Table 6.2: IPL PFDs
IPL | Data source | PFD
PSV | CCPS table | 1 × 10⁻²
Topside PSD (PSDV) | BP / Aker Solutions | 0.1 (SIL 1)
Subsea PSD | BP / Aker Solutions | 0.1 (SIL 1)
BPCSsubsea (PCV) | CCPS table / BP | 1 × 10⁻¹
BPCStopside (CV) | CCPS table / BP | 1 × 10⁻¹
HIPPS | BP / Aker Solutions | 5 × 10⁻⁴ (SIL 3)
The HIPPS and the subsea PSD have different PTs and actuating items, but they share the same HPU / SCU. The XT and HIPPS valves will go to safe state if the HPU / SCU fails to provide hydraulic pressure. The only way this unit may cause an error is if the logic solver in the SCU fails in such a way that the system does not initiate shutdown when a shutdown is needed. The issue that arises is how strict the independence requirement should be, and which of the two approaches presented in the previous paragraph to use. Even if they share the logic solver, both lead to risk reduction. On this basis approach B, which is described in the previous section, seems fair to use. It is important to emphasize that a PL can be an IPL for one initiating cause - impact event pair, and not for another. The IPL PFDs are from different data sources, and Table 6.2 shows the selected values.
Figure 6.2: Relation between initiating causes, impact event, process deviation and PLs
Initiating cause - impact event pair 1: Choke control human error overpressure
The operator controlling the PCV has already failed, and the PCV cannot be credited. Another question is whether the BPCS topside can be credited if the operator and the BPCSsubsea fail. The BPCS topside has sensors and actuating items topside, which are far from the PCV located subsea. It is assumed that even if the operator is involved in the failure of the PCV, the topside BPCS will still function. The credited IPLs are:
- Topside PSD (PSDV)
- PSV (mechanical relief device)
- HIPPS
- Subsea PSD
- BPCStopside (CV)
The formula for calculating the intermediate event likelihood becomes:
\[
\text{Initiating cause frequency} \cdot \mathrm{PFD}_{\mathrm{CV}} \cdot \mathrm{PFD}_{\mathrm{HIPPS}} \cdot \mathrm{PFD}_{\mathrm{PSDV}} \cdot \mathrm{PFD}_{\mathrm{subsea\,PSD}} \cdot \mathrm{PFD}_{\mathrm{PSV}} \cdot \text{occupancy} \cdot \text{ign.\ prob.}
= 2 \cdot 10^{-1} \cdot 5 \cdot 10^{-4} \cdot 0.1 \cdot 0.1 \cdot 1 \cdot 10^{-2} \cdot 0.3 \cdot 0.5 = 1.5 \cdot 10^{-9}
\]
not certain that the PSD is able to prevent a pressure build-up due to the short distance between the XT valves and the choke module. There are several ways to interpret these issues. It is chosen not to give credit to the subsea PSD due to the response time. The IPLs given credit are:
- Topside PSD (PSDV)
- PSV (mechanical relief device)
- HIPPS
- BPCStopside (CV)
The formula for calculating the intermediate event likelihood becomes:
\[
\text{Initiating cause frequency} \cdot \mathrm{PFD}_{\mathrm{CV}} \cdot \mathrm{PFD}_{\mathrm{HIPPS}} \cdot \mathrm{PFD}_{\mathrm{PSDV}} \cdot \mathrm{PFD}_{\mathrm{PSV}} \cdot \text{occupancy} \cdot \text{ign.\ prob.}
= 9.9 \cdot 10^{-2} \cdot 10^{-1} \cdot 5 \cdot 10^{-4} \cdot 0.1 \cdot 10^{-2} \cdot 0.3 \cdot 0.5 = 7.42 \cdot 10^{-10}
\]
The question is now what SIL to set as the requirement. The necessary risk reduction is between 10⁻² and 10⁻¹, and a SIL 2 is applicable. A conservative approach is chosen, and SIL 2 is set as the requirement. The next question is what PFD value a SIL 2 requirement constitutes, i.e. what requirement to pass on to the SIS vendor. If the SIS vendor provides a system fulfilling SIL 2, but which only gives a risk reduction of 5 × 10⁻², the system is not safe enough. To solve this potential issue an additional PFD requirement is set to 1 × 10⁻². The final requirement is SIL 2, where the new safety system must have a specific PFD ≤ 1 × 10⁻². The chosen PFD requirement is implemented in the worksheet, and the mitigated event likelihood is calculated. All values are within the requirements, and the analysis is finalized.
Chapter 7
authors also use screening tools, i.e. a risk graph, prior to, or embedded in, the LOPA process. Compared to the approaches discussed in Section 3.5, the Aker E&T LOPA approach is an overall methodology, not taking the proposed SIF implicitly into account. Often the customer's methodology (e.g. Statoil or BP) also forms the basis for the analysis. ISO 10418 (2003) helps the design team to implement safety functions in the P&IDs for the system in question, and after all hazard identification is finished the LOPA is initiated. The further approach is similar to the approach presented in IEC 61511 (2003).
Recommended LOPA approach
A stepwise preferred (recommended) approach has been developed and each step described. The approach is clear, and all basic concepts are clarified. In the case study in Chapter 6 the need for more guidelines on how to credit IPLs has been identified, and this part needs to be improved. The preferred approach is an overall approach considering the planned / existing system without the proposed SIF. Several screening tools exist, but it is chosen to screen by consequence and SIL only. Conducting a risk graph analysis and then initiating a LOPA causes extra work and increased engineering cost. The approach is shown in Figure 4.1.
Interfaces between LOPA and other risk analysis methods
Interfaces between LOPA and HAZOP have been identified, but other risk analysis methods have not been covered. Information in columns such as consequence and possible causes in the HAZOP worksheet can be directly transferred to the LOPA worksheet. Information in the other columns may require transformation. This includes IPL PFD data and initiating cause frequency. The thoughts behind a software tool transferring, facilitating, and adjusting data have been presented. This includes a program specification and a simple illustration of a proposed software program.
The illustrated software program is based on automatic data transfer from HAZOP, IPL PFD and initiating cause frequency databases, and a risk matrix including the acceptance criteria. Linking all these aspects with a LOPA worksheet gives the outline of the program. The illustrated program shown in Annex B seems reasonable, but should be evaluated in more detail. Expert judgment makes up an extensive part of the analysis, and a program that learns by doing would be beneficial. An example is a program that has a database with previous analyses, which provides previous information when a new analysis is performed, e.g. possible initiating causes of a specific type of valve.
Discuss pros and cons related to LOPA
Advantages and disadvantages of LOPA, and especially the limitations of LOPA, have not been covered.
Discussion of the IPL concept and the applicability of LOPA in cases where the independence is violated
IPL has been defined, exemplified, and discussed. In the case study the IPL concept has been applied to a practical system. CCFs have not been covered to a great extent, which should have been the case. IPL is defined as: Protection layer that is capable of preventing the process deviation from proceeding to the end-consequence regardless of other protection layers associated with the same impact event - initiating cause pair, and of the initiating event. It must lead to a risk reduction factor of at least 10, and fulfill the specificity, independence, dependability and auditability criteria. The definition is clear, but it is still uncertain how to apply the concept of IPL in practice.
Compare the applicability of LOPA in determining SIL, and compare LOPA with alternative approaches (incl. risk graphs). If possible, this evaluation should be rooted in a practical case study.
The preferred approach, based on the literature study, has been applied to a combined system based on real systems by Aker Subsea and Aker E&T. The preferred approach was easy to use, but as mentioned the IPL concept was difficult to apply. Where to draw the line between a component being independent or not was the key issue throughout the case study. The case concluded that process understanding and knowledge of basic reliability concepts are important.
This thesis may give some readers a clearer understanding of LOPA. The sections explaining and clarifying terms, and the IPL discussion in the case study, may be a contribution to the LOPA discussion. Still, many of the issues need to be clarified, and further work is recommended. Specific recommendations for further work are:
- More in-depth analyses of CCFs and IPLs. What is the effect of not considering CCFs?
- Guideline describing the concept of IPL for different systems, with an extended definition of IPL.
- HAZOP integration software tool prototype that includes advanced functions which incorporate expert judgment and previous analyses.
- Combined framework of LOPA and HAZOP including a common terminology and worksheet.
- Extend the development of the preferred approach. Include risk acceptance criteria development.
- Comparison with the approach in BP (2006).
Bibliography
ACM Facility Safety (2004). HAZOP / SIL analysis item and cost comparison - Traditional way vs. integrated SILCore approach. Advertorial, Safety Users Group. Retrieved on 03.04.08 from internet address: http://www.safetyusersgroup.com/documents/AD040001/EN/AD040001.pdf.
ACM Facility Safety (2006). SIL Determination Techniques Report. "White Paper". Retrieved on 30.02.08 from internet address: http://www.iceweb.com.au/sis/ACMWhite-PaperSILDeterminationTechniquesReportA4.pdf.
Baybutt, P. (2007). An improved Risk Graph Approach for Determination of Safety Integrity Levels (SILs). Process Safety Progress, 26:66-76.
Bingham, K. and Goteti, P. (2004). Integrating HAZOP and SIL / LOPA analysis: Best practice recommendations. ISA (The Instrumentation, Systems, and Automation Society) 2004.
BP (2006). Guidance on Practices for Layer of Protection Analysis (LOPA). British Petroleum procedure: Engineering Technical Practice (ETP) GP 48-03, 1st edition.
CCPS (2001). Layer of protection analysis - simplified process risk assessment. American Institute of Chemical Engineers (AIChE), Centre for Chemical Process Safety (CCPS). 3 Park Avenue, New York.
Dowell, A. (1998). Layer of protection analysis for determining safety integrity level. ISA Transactions, 37:155-165.
Dowell, A. and Williams, T. (2005). Layer of Protection Analysis: Generating Scenarios Automatically from HAZOP Data. Process Safety Progress, 24:38-44.
Ellis, G. and Wharton, M. (2006). Practical experience in determining safety integrity levels for safety instrumented systems. Symposium Series No. 151, IChemE.
Gowland, R. (2006). The accidental risk assessment methodology for industries (ARAMIS) / layer of protection analysis (LOPA) methodology: A step forward towards convergent practices in risk assessment? Journal of Hazardous Materials, 130:307-310.
Harsem Lund, K. (2007). Alternative måter for SIL fastsettelse - en sammenligning (LOPA, Risk graf, OLF 070). In PDS forum, Trondheim. Scandpower, Kjeller.
IEC 60300-3-9 (1995). Dependability management - Part 3: Application guide - Section 9: Risk analysis of technological systems. International Electrotechnical Commission, Geneva.
IEC 61508 (2003). Functional safety of electrical/electronic/programmable electronic safety-related systems. International Electrotechnical Commission, Geneva.
IEC 61511 (1998-2003). Functional safety - safety instrumented systems for the process industry sector. International Electrotechnical Commission, Geneva.
ISO 10418 (2003). Petroleum and natural gas industries - Offshore installations - Basic surface process safety systems. International Organization for Standardization, Geneva.
Marszal, E. and Scharpf, E. (2002). Safety Integrity Level Selection - Systematic Methods Including Layer of Protection Analysis. The Instrumentation, Systems and Automation Society (ISA). Research Triangle Park, NC.
Nordhagen, L. (2007). Bruk av LOPA ved fastsettelse av IL krav, Aker Kværner Engineering & Technology. In PDS forum, Trondheim.
NORSOK Z-013 (2001). Risk and emergency preparedness analysis. Norwegian Technology Centre, Oslo.
OLF 070 (2004). Application of IEC 61508 and IEC 61511 in the Norwegian petroleum industry. OLF.
Rausand, M. (2004). Reliability of safety systems (Slides). Retrieved on 28.02.08 from internet address: http://frigg.ivt.ntnu.no/ross/slides/chapt10.pdf.
Rausand, M. (2005). HAZOP - Hazard and Operability Study (Slides). Retrieved on 28.02.08 from internet address: http://frigg.ivt.ntnu.no/ross/slides/hazop.pdf.
Rausand, M. and Høyland, A. (2004). System Reliability Theory. Models, Statistical Methods, and Applications. 2nd edition. John Wiley & Sons, Hoboken, NJ.
Schönbeck, M. (2007). Introduction to reliability of safety systems. ROSS (NTNU) report 200702, NTNU, Trondheim.
Sklet, S. (2006). Safety Barriers on Oil and Gas Platforms. PhD thesis 2006:3, NTNU.
Summers, A. (2003). Introduction to layers of protection analysis. Journal of Hazardous Materials, 104:163-168.
The Dow Chemical Company (2002). Introducing Dow Application of Layer of Protection Analysis - LOPA.
Appendix A
Basic concepts
Impact event: The first sign of harm to people, environment or assets
Independent protection layer: Protection layer that is capable of preventing a process deviation from proceeding to the end-consequence, regardless of other protection layers associated with the same impact event - initiating cause pair, and of the initiating event
Initiating cause: Direct reasons why the process deviation occurs, not the most basic underlying root causes
Intermediate event: The occurrence of the end-consequence with the existing / planned protection layers in place, but without the SIF under consideration. The intermediate event likelihood is the frequency per year of the occurrence of this event
Mitigated event: The occurrence of the end-consequence with all protection layers in place, including the proposed SIF. The mitigated event likelihood is the frequency per year of the occurrence of this event
Process deviation: The first significant deviation from a normal situation that may lead to unwanted consequences
Protection layer: Device, system or action that is capable of preventing a process deviation from proceeding to the end consequence
Scenario: The development from a process deviation to an impact event, including the causes leading to the process deviation
Appendix B
Software schematic
Legend:
Black circles - User input
Blue circles - Data cell
Red circles - Calculation cell (output cell)
Blue lines - Data path (blue or black circle to red circle)
Pale yellow box - Button
Yellow box - Clicked button
Appendix C